Sunday, March 6, 2016

Has The U.S. Found A "Privacy Shield" That The E.U. Can Live With?

Regular readers know I've been writing recently (here and here) about the collapse of the EU/US data privacy Safe Harbor framework and the efforts to negotiate a trans-Atlantic resolution. This is a major issue for U.S. organizations that do business in Europe or with Europeans.

On Monday (February 29), the U.S. Department of Commerce released a proposal (the "Privacy Shield") designed to "provide[] a set of robust and enforceable protections for the personal data of EU individuals." The Privacy Shield release is *just* 132 pages, which you can read here.

To rely upon the Privacy Shield framework, a U.S.-based organization would be required to self-certify to the Department of Commerce and publicly commit to comply with the Privacy Shield's requirements. While joining the Privacy Shield framework will be voluntary, once an organization undertakes to comply with the Framework's requirements, that commitment becomes enforceable under U.S. law. Key elements are outlined in a "fact sheet" here, including the following:

The Privacy Shield contains seven distinct categories of "principles," including notice, choice, accountability for onward transfer, purpose limitation, and recourse, enforcement and liability, among others. (These should sound familiar to those who previously complied with the Data Protection Directive.)

U.S. entities will continue to self-certify.

U.S. entities will adopt a privacy policy statement which will become legally enforceable.

When a U.S. entity's privacy policy is available online, it must include a link to the Department of Commerce's Privacy Shield website and a link to the website or complaint submission form through which individual complaints are investigated.

A U.S. entity must inform individuals of their rights to access their personal data, of the requirement to disclose personal information in response to lawful requests by public authorities, of which enforcement authority has jurisdiction over the organization's compliance, and of the organization's liability in cases of onward transfer of data to third parties.

Privacy Shield participants must limit personal information to the information relevant to the purposes of processing. Additional personal information may not be collected or retained.

To transfer personal information to a third party acting as a data controller, a Privacy Shield participant must:

Comply with the Notice and Choice Principles.

Enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles.

To transfer personal data to a third party acting as an agent, a Privacy Shield participant must:

Transfer such data only for limited and specified purposes;

Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;

Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;

Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and

Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.

Privacy Shield participants must respond promptly to inquiries and requests by the Department of Commerce for information relating to the Privacy Shield Framework.

Privacy Shield participants must make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC if the organization becomes subject to an FTC or court order based on non-compliance.

If an organization leaves the Privacy Shield Framework and chooses to keep information received under it, the organization must either annually certify its commitment to continue applying the Principles to that information or provide "adequate" protection for the information by another authorized means.

There's still a big question mark: genuine uncertainty remains as to whether the proposal will be approved (i.e., deemed "adequate") in Brussels. If the EU determines that the Privacy Shield framework is adequate, the U.S. Department of Commerce will begin accepting certifications from U.S. organizations promptly.

Legal | Privacy Statement

This blog is written by, and reflects the personal views of, the author in his individual capacity. No representation is made about the accuracy of the information in this blog; the information contained in this blog is provided only as general information for educational purposes, and blog posts may or may not be updated subsequent to their initial posting. The information contained in this blog is not provided in the course of an attorney-client relationship and is not intended to constitute legal advice. This blog should not be used as a substitute for competent legal advice from a licensed attorney in your state. If you need legal advice, you should retain an attorney who is licensed in your jurisdiction and competent in the subject matter to provide that advice. If you wish, you can contact the author of this blog by telephone to inquire about engaging him and his law firm to assist you with your legal issues. Unless and until you receive a signed engagement agreement from the author's law firm, you are not a client of the author or his law firm. Do not send any confidential information to the author without his express consent. Information you send to the author prior to a confirmation of engagement may not be subject to any attorney-client privilege and may result in an unintended disclosure of information. No representations regarding your privacy are made by the author of this blog. This blog is hosted by Blogger, a Google entity. The author of this blog makes no representations about the privacy policies and practices of Google. You can learn more about Google's privacy policies here.